Slide 1

IN A NUTSHELL
https://www.openwall.com/lkrg
Twitter: @Openwall
Twitter: @Adam_pi3

Slide 2

/USR/BIN/WHOAMI
Adam 'pi3' Zabrocki
• NVIDIA (currently)
• Microsoft
• European Organization for Nuclear Research (CERN)
• Hispasec Sistemas
• Wroclaw Centre for Networking and Supercomputing
• Cigital
• Bug hunting (Hyper-V, KVM vGPU, Linux kernel, OpenSSH, gcc SSP/ProPolice, Apache, xpdf, more…) – CVEs
• Phrack magazine ("Scraps of notes on remote stack overflow exploitation")
• The ERESI Reverse Engineering Software Interface
Private contact: http://pi3.com.pl, [email protected], Twitter: @Adam_pi3

Slide 3

ACKNOWLEDGMENT
Alexander Peslyak (Александр Песляк) a.k.a. Solar Designer
Special thanks to the following people for the constructive criticism and brainstorming in the past stages of the project development:
• Rafał "n3rgal" Wojtczuk
• Brad "spender" Spengler
• PaX Team… I mean "pipacs"
The following people also had an impact on LKRG:
• Mariusz Zaborski – code cleanups (and hopefully more in the future)
• Ilya Matveychikov – bypass techniques, which shaped up the protections
• Michael Larabel (Phoronix) – benchmarks, which led to optimizations
• Patrick Schleizer (Whonix) – packaging with DKMS for Debian-compatibles
• Everyone who supported the project on Patreon

Slides 4–10 (one slide built up incrementally)

WHAT IS LKRG?
❖ LKRG – Linux Kernel Runtime Guard (self-explanatory ;p)
❖ Open Source project under GPLv2 License
❖ Supported architectures: x86(-64), ARM, ARM64
❖ LKRG = integrity checking & anti-exploitation, in two halves:
  ▪ System integrity
    ▪ Critical CPU metadata
    ▪ Critical kernel variables
    ▪ .text section (kernel + modules)
    ▪ Detects unsupported kernel modifications
    ▪ Default response: panic the kernel (a milder response would be ineffective)
  ▪ Task integrity
    ▪ Critical attributes
    ▪ Control flow
    ▪ Detects the kernel exploitation process
    ▪ Default response: kill the task

Slides 11–13 (one slide built up incrementally)

WHAT IS LKRG?
❖ Officially, LKRG is distributed as source code:
  ❖ https://www.openwall.com/lkrg/
  ❖ https://github.com/openwall/lkrg
❖ LKRG as a package:
  ❖ ALT Linux
  ❖ Arch Linux (AUR)
  ❖ Astra Linux
  ❖ Debian and Ubuntu (reusing the Whonix/Kicksecure package)
  ❖ Gentoo Linux (Pentoo overlay)
  ❖ Whonix and Kicksecure
  ❖ + a few other less known ones
❖ LKRG-aware exploitation frameworks:
  ❖ Metasploit bails out
  ❖ Exploit-suggester bails out

Slides 14–17 (one slide built up incrementally)

ANTI-EXPLOITATION
❖ The aim is to detect the kernel exploitation process by detecting specific data corruption in the kernel
❖ Critical process and system attributes
  • Illegal Elevation of Privileges (EoP):
    • Token / pointer swapping
    • Illegal call to commit_creds()
    • Overwriting the cred / real_cred structures
  • Sandbox escapes (e.g. Chrome sandbox):
    • Overwriting seccomp configuration
    • Overwriting seccomp rules
  • Various namespace escapes
  • Various container escapes (e.g. Docker / Kubernetes / etc.)
  • Illegal changes of:
    • CPU state, e.g. SMAP / SMEP / WP / MSR
    • Any part of the kernel or modules
❖ Poor man's Control Flow Integrity (pCFI)
  • It might detect (and block):
    • Return-Oriented Programming (ROP)
    • Stack-pivoting attacks
  • It might detect illegal control flow:
    • From non-.text section pages
    • From dynamically generated executable pages
    • From pages not belonging to the kernel (e.g. user-mode pages)
    • When an attacker bypasses SMEP protection
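The pCFI bullets above, as an added example that is not LKRG's code: a userspace C model of the questions a pCFI validation pass asks about a task when it reaches a guarded kernel function. The code map, the kernel/user address split, the stack bounds and the sample frames are constructed for the demo and are not real kernel addresses; a real pass walks the live kernel stack and reads the module list, whereas this model takes an already-unwound frame list as input.

```c
/* Added example, not LKRG's own code: a userspace model of the checks that a
 * "poor man's CFI" pass performs. All addresses below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* x86-64 canonical split: user addresses have the top bit clear, kernel ones set. */
#define KERNEL_BASE 0xffff800000000000ULL

struct text_range { const char *owner; uint64_t start, end; };   /* [start, end) */

/* Constructed map of executable kernel code: core .text plus loaded modules.
 * A real guard rebuilds this from the kernel's module list. */
static const struct text_range code_map[] = {
    { "vmlinux .text", 0xffffffff81000000ULL, 0xffffffff82000000ULL },
    { "module ext4",   0xffffffffc0200000ULL, 0xffffffffc0300000ULL },
    { "module lkrg",   0xffffffffc0400000ULL, 0xffffffffc0440000ULL },
};

enum pcfi_verdict {
    PCFI_OK = 0,
    PCFI_USER_PAGE,    /* return address in user space: SMEP bypass / ret2usr */
    PCFI_NON_TEXT,     /* kernel address but in no .text: heap, stack, JIT page */
    PCFI_STACK_PIVOT,  /* stack pointer outside the task's own kernel stack */
};

static bool in_code_map(uint64_t addr) {
    for (size_t i = 0; i < sizeof code_map / sizeof code_map[0]; i++)
        if (addr >= code_map[i].start && addr < code_map[i].end) return true;
    return false;
}

/* Validate one task: the stack pointer must lie inside the task's kernel stack,
 * and every return address on that stack must point into kernel or module code. */
enum pcfi_verdict pcfi_check(uint64_t stack_lo, uint64_t stack_hi, uint64_t sp,
                             const uint64_t *frames, size_t nframes) {
    if (sp < stack_lo || sp >= stack_hi) return PCFI_STACK_PIVOT;
    for (size_t i = 0; i < nframes; i++) {
        if (frames[i] < KERNEL_BASE) return PCFI_USER_PAGE;
        if (!in_code_map(frames[i])) return PCFI_NON_TEXT;
    }
    return PCFI_OK;
}

/* Four constructed scenarios; returns the verdict for scenario n (0..3). */
enum pcfi_verdict scenario(int n) {
    const uint64_t stack_lo = 0xffffc90000010000ULL, stack_hi = stack_lo + 0x4000;
    uint64_t sp = stack_hi - 0x200;
    uint64_t frames[3] = {
        0xffffffff81234567ULL,   /* syscall handler in vmlinux .text */
        0xffffffffc0210abcULL,   /* ext4 code path */
        0xffffffff81000400ULL,   /* entry code */
    };
    switch (n) {
    case 1: frames[1] = 0x00007f1234567000ULL; break;   /* ret2usr after SMEP bypass */
    case 2: frames[1] = 0xffff888012345000ULL; break;   /* gadget stager on a heap page */
    case 3: sp = 0xffff888055550000ULL; break;          /* stack pivoted into a heap buffer */
    default: break;
    }
    return pcfi_check(stack_lo, stack_hi, sp, frames, 3);
}

int main(void) {
    static const char *names[] = { "OK", "USER_PAGE", "NON_TEXT", "STACK_PIVOT" };
    for (int n = 0; n < 4; n++)
        printf("scenario %d -> %s\n", n, names[scenario(n)]);
    return 0;
}
```

The order of the checks matters: the stack-pointer test runs first because a pivoted stack makes every "return address" read from it untrustworthy, and the user-space test runs before the code-map lookup so a ret2usr frame is reported as such rather than as a generic non-text address.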

Slides 18–22 (identical text)

ANTI-EXPLOITATION
❖ Examples
  ❖ Detection of calls into kernel APIs from non-code pages (CVE-2017-1000112)

Slides 23–24 (identical text)

ANTI-EXPLOITATION
❖ Examples
  ❖ ROP detection

Slide 25

ANTI-EXPLOITATION
❖ Examples – Metasploit (demo with two terminal windows, labelled "LKRG" and "Metasploit")

Slide 26

ANTI-EXPLOITATION
❖ Limitations – bypassable by design (for now): it is difficult to protect against an attacker at the same trust level
  ▪ Fly under LKRG's radar:
    ✓ Overwrite critical metadata not guarded by LKRG
    ✓ Try to win races
    ✓ Move the attack to userspace
  ▪ Attack (disable) LKRG and continue normal work:
    ✓ Try to win races (corrupting LKRG's database)
    ✓ Attack LKRG's internal synchronization / locking
    ✓ Find all of LKRG's running contexts and disable them, and block new ones
  ▪ Directly attack userspace via the kernel (e.g. DirtyCOW)

Slides 27–28 (one slide built up incrementally)

SYSTEM INTEGRITY
❖ Calculate a hash of the critical [meta]data – SipHash
❖ Guarded regions:
  ▪ Critical (V)CPU/core data – an Inter-Processor Interrupt (IPI) is sent to each core of every (V)CPU to exclusively run LKRG's guard function (IDT / MSR / CRx / etc.)
    ▪ LKRG keeps track of how many (V)CPUs/cores are "online" / "offline" / "possible"
  ▪ Entire Linux kernel .text section
    ▪ This covers almost the entire Linux kernel itself: syscall tables, all procedures, all functions, all IRQ handlers, etc. (often changed by rootkits)
  ▪ Entire Linux kernel .rodata section
  ▪ Entire Linux kernel exception table
  ▪ Critical global system variables, like:
    ▪ selinux_enabled
    ▪ selinux_enforcing / selinux_state (detects the SELinux escape)
    ▪ Supervisor Mode Execution Protection (SMEP) and Supervisor Mode Access Prevention (SMAP)
    ▪ CR4.WP (together with SMEP/SMAP: detects SMAP / SMEP bypasses)
  ▪ All dynamically loaded modules AND their order in the internal structures
  ▪ Optionally, it is possible to enable guarding of the entire IOMMU table
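The hashing described on this slide, as an added example rather than LKRG's own code: a userspace C model of the system-integrity check. It implements SipHash-2-4 (the function the slide names), records a digest of each guarded region once, and re-hashes the regions on demand, reporting the first one whose digest has changed. The fake_text, fake_cr4 and fake_selinux_enforcing objects, the fixed key and the region list are constructed stand-ins; LKRG's real database layout, its key handling and the IPI-based per-CPU collection are not modelled.

```c
/* Added example, not LKRG's own code: a userspace model of LKRG's
 * system-integrity check. A SipHash-2-4 digest of each guarded region is
 * stored once and recomputed on every check; any mismatch is reported.
 * fake_text / fake_cr4 / fake_selinux_enforcing are constructed stand-ins
 * for the real kernel objects, not the kernel's or LKRG's actual layout. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ROTL64(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do {                                               \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);  \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                        \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                        \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);  \
} while (0)

static uint64_t le64(const uint8_t *p) {
    uint64_t r = 0;
    for (int i = 7; i >= 0; i--) r = (r << 8) | p[i];
    return r;
}

/* SipHash-2-4 (Aumasson/Bernstein): 128-bit key, 64-bit output. */
uint64_t siphash24(const uint8_t *in, size_t len, const uint8_t key[16]) {
    uint64_t k0 = le64(key), k1 = le64(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    size_t full = len & ~(size_t)7;
    uint64_t b = (uint64_t)len << 56;           /* length byte goes on top */
    for (size_t i = 0; i < full; i += 8) {
        uint64_t m = le64(in + i);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t i = full; i < len; i++)         /* up to 7 tail bytes, little-endian */
        b |= (uint64_t)in[i] << (8 * (i - full));
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;                                 /* finalization */
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Known-answer helper: key 00..0f and message 00..(msglen-1), as in the SipHash paper. */
uint64_t siphash24_kat(size_t msglen) {
    uint8_t key[16], msg[64];
    for (int i = 0; i < 16; i++) key[i] = (uint8_t)i;
    for (size_t i = 0; i < msglen && i < sizeof msg; i++) msg[i] = (uint8_t)i;
    return siphash24(msg, msglen, key);
}

/* A guarded region: location, length and its known-good digest. */
struct guard_entry { const char *name; const uint8_t *base; size_t len; uint64_t hash; };
#define MAX_GUARDS 8
static struct guard_entry guards[MAX_GUARDS];
static int nguards;
/* Constructed fixed key for the demo; a real guard would draw a fresh one at load time. */
static const uint8_t guard_key[16] = "lkrg-demo-key!!";

int guard_add(const char *name, const void *base, size_t len) {
    if (nguards == MAX_GUARDS) return -1;
    guards[nguards] = (struct guard_entry){ name, base, len, siphash24(base, len, guard_key) };
    return nguards++;
}

/* Re-hash everything; return the index of the first corrupted region, -1 if all clean. */
int guard_verify(void) {
    for (int i = 0; i < nguards; i++)
        if (siphash24(guards[i].base, guards[i].len, guard_key) != guards[i].hash) return i;
    return -1;
}

/* Constructed stand-ins for kernel state (not the real layout). */
static uint8_t fake_text[64];
static uint64_t fake_cr4 = (1ULL << 16) | (1ULL << 20) | (1ULL << 21);  /* WP | SMEP | SMAP */
static int fake_selinux_enforcing = 1;

/* Snapshot the stand-ins, then apply three attacks one at a time and return a
 * bitmask of those the re-hash caught: bit0 .text patched, bit1 CR4.WP cleared,
 * bit2 selinux_enforcing zeroed. Expected: 7 (all caught). */
int demo(void) {
    int caught = 0;
    nguards = 0;
    for (size_t i = 0; i < sizeof fake_text; i++) fake_text[i] = (uint8_t)(0x90 + i);
    guard_add(".text", fake_text, sizeof fake_text);
    guard_add("CR4", &fake_cr4, sizeof fake_cr4);
    guard_add("selinux_enforcing", &fake_selinux_enforcing, sizeof fake_selinux_enforcing);
    if (guard_verify() != -1) return -1;        /* must be clean before any attack */
    fake_text[17] ^= 0xff;                      /* inline hook / patched function */
    if (guard_verify() == 0) caught |= 1;
    fake_text[17] ^= 0xff;
    fake_cr4 &= ~(1ULL << 16);                  /* clear WP to write read-only pages */
    if (guard_verify() == 1) caught |= 2;
    fake_cr4 |= 1ULL << 16;
    fake_selinux_enforcing = 0;                 /* the classic SELinux escape */
    if (guard_verify() == 2) caught |= 4;
    fake_selinux_enforcing = 1;
    return caught;
}

int main(void) {
    printf("SipHash-2-4 KAT: %016llx\n", (unsigned long long)siphash24_kat(15));
    printf("attacks caught mask = %d (expect 7)\n", demo());
    return 0;
}
```

Build with `cc -std=c11 -Wall`. The 15-byte known-answer value matches the SipHash paper's published test vector, which is the check to run before trusting any home-grown transcription of the rounds; a keyed hash is used rather than a plain CRC so that an attacker who can overwrite a region cannot also compute the digest that would make it look clean without first recovering the key.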

Slide 29

COMMUNICATION CHANNEL
❖ Through the sysctl interface:
  root@pi3-ubuntu:~/p_lkrg-main# sysctl -a | grep lkrg
  lkrg.block_modules = 0
  lkrg.heartbeat = 0
  lkrg.hide = 0
  lkrg.interval = 15
  lkrg.kint_enforce = 2
  lkrg.kint_validate = 3
  lkrg.log_level = 3
  lkrg.msr_validate = 1
  lkrg.pcfi_enforce = 1
  lkrg.pcfi_validate = 2
  lkrg.pint_enforce = 1
  lkrg.pint_validate = 3
  lkrg.profile_enforce = 2
  lkrg.profile_validate = 9
  lkrg.smap_enforce = 2
  lkrg.smap_validate = 1
  lkrg.smep_enforce = 2
  lkrg.smep_validate = 1
  lkrg.trigger = 0
  lkrg.umh_enforce = 1
  lkrg.umh_validate = 1

Slide 30

PERFORMANCE AND SCALABILITY
❖ LKRG with default protections enabled:
  CPU: Intel Xeon E-2176G @ 4.70GHz (6 cores / 12 threads), OS: Ubuntu 18.04
  • The newest version (0.8) has an overhead of around 2.5%; all details are available in the PERFORMANCE file
  • Performance impact was also comprehensively evaluated by Phoronix: https://www.phoronix.com/scan.php?page=article&item=lkrg-08-linux&num=1
❖ Scalability:
  • We do NOT expect a significant increase in LKRG's overhead with a higher number of concurrently running processes: LKRG's process tracking database uses a hash table of RB trees with per-hash-bucket read/write locks.

Slide 31

https://www.openwall.com/lkrg
Q&A?